The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console.
https://exchange.xforce.ibmcloud.com/vulnerabilities/49085
http://www.vupen.com/english/advisories/2009/1464
http://www.vupen.com/english/advisories/2009/1188
http://www.vupen.com/english/advisories/2009/0704
http://www.securityfocus.com/bid/34104
http://www-01.ibm.com/support/docview.wss?uid=swg27006876
http://www-01.ibm.com/support/docview.wss?uid=swg21380376
http://www-01.ibm.com/support/docview.wss?uid=swg21380233
http://www-01.ibm.com/support/docview.wss?uid=swg1PK81387
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24022456